ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to modify dssec.dat to get the ACL Editor to display specific attributes


Member

Posts: 16
Date: Jun 1, 2011
How to modify dssec.dat to get the ACL Editor to display specific attributes


Hi. I'd like to know how to modify the dssec.dat file so I can have the ACL Editor display certain attributes that we'd like to use to delegate specific modifications for a service account.

I've noticed that certain attributes have a 0 value assigned, while others have 1 assigned, and still some have 7 assigned. Does anyone know what these are for, and what value I should be setting these to in order to have the ACL Editor show them, so that we are able to grant some permissions?

By the way, Microsoft really ought to make it simple to delegate admin tasks and access in Active Directory. So much complicated technology, although powerful, makes this complex, and complexity is the enemy of security.



__________________


Member

Posts: 9
Date: Jun 16, 2011
How to modify dssec.dat to get the ACL Editor to display specific attributes


Hey John,

I could not agree with you more that Microsoft really needs to make delegation of administration so much easier and more manageable.

It requires us to waste so much time learning all these esoteric concepts and ideas just to delegate stuff, not to mention that it's virtually impossible to accurately find out who is delegated what access on a single object, let alone the entire domain.

Anyway, to answer your question, here are the meanings of the 3 values -

0 - Display both Read and Write permissions for a property

1 - Display only the Write permissions for a property

2 - Display only the Read permissions for a property

By the way, after you've edited and saved your dssec.dat file, don't forget to close and then re-open the Active Directory Users and Computers Snap-In.

As a security precaution, personally, I always make a copy of the dssec.dat file, in case I end up making an accidental deletion or a mistake.

Hope this helps.

>- Matt.

 



__________________

Go Aussie!
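The edit described in the reply above, as an added Python example that is not part of the original posts: it reads dssec.dat-style text, reports what each value means using only the three values given in the thread, and changes one attribute's value after saving a backup copy. The `[class]` / `attribute=value` layout, the sample content, the `.bak` suffix and the default file encoding are assumptions.

```python
import shutil

# Display values as described in the thread above.
MEANING = {"0": "read and write", "1": "write only", "2": "read only"}

# Constructed sample in the assumed dssec.dat layout: [class], then attribute=value.
SAMPLE = "[user]\r\naccountExpires=7\r\ndescription=0\r\n[group]\r\nmember=1\r\ndescription=7\r\n"

def parse_dssec(text):
    """Return {class: {attribute: value}} from dssec.dat-style text."""
    classes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = classes.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, value = line.split("=", 1)
            current[name.strip()] = value.strip()
    return classes

def describe(value):
    """Map a value to what the ACL Editor displays, per the thread."""
    return MEANING.get(value, "other value, not explained in the thread")

def set_display(text, cls, attr, value):
    """Return text with attr under [cls] set to value, line endings kept."""
    if value not in MEANING:
        raise ValueError(f"unsupported display value: {value!r}")
    out, in_cls, done = [], False, False
    for raw in text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        line = body.strip()
        if line.startswith("[") and line.endswith("]"):
            in_cls = line[1:-1].lower() == cls.lower()
        elif in_cls and not done and "=" in line:
            name = line.split("=", 1)[0].strip()
            if name.lower() == attr.lower():
                raw, done = f"{name}={value}" + raw[len(body):], True
        out.append(raw)
    if not done:
        raise KeyError(f"{attr} not found under [{cls}]")
    return "".join(out)

def update_file(path, cls, attr, value, encoding="utf-8"):
    """Edit the file in place after saving a .bak copy; return the backup path."""
    with open(path, encoding=encoding, newline="") as fh:
        new_text = set_display(fh.read(), cls, attr, value)  # fails before any write
    backup = str(path) + ".bak"
    shutil.copy2(path, backup)  # keep the original, as advised in the thread
    with open(path, "w", encoding=encoding, newline="") as fh:
        fh.write(new_text)
    return backup
```

Check the encoding of the real file before using `update_file`, and close and re-open the snap-in afterwards as the reply says.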



Member

Posts: 16
Date: Jul 12, 2011
RE: How to modify dssec.dat to get the ACL Editor to display specific attributes


Hi Matt,

Thanks very much for helping me out - this info is exactly what I was looking for.

We've gone ahead and delegated the most common of administrative tasks based on the principle of least rights, and we're feeling quite good about our delegation model.

Only problem is that while it was rather easy to delegate these administrative tasks quite precisely, because I'm not the only one controlling access (i.e. there are other admins as well), we have no way of knowing if the delegations we initially made are still the same or whether they may have changed since.

Do you have any input on how to solve this problem as well? i.e. how to find out who is delegated what access in our Active Directory at any point in time?

Thanks in advance.

John 



__________________


Member

Posts: 9
Date: Jul 20, 2012
How to modify dssec.dat to get the ACL Editor to display specific attributes


Hi John,

Yes, we're using a tool called Gold Finger for Active Directory to find out who is delegated what tasks in our Active Directory. It's been very useful in doing permission analysis as well as in determining effective access in our AD, and it's worked out quite well for us.

In case it helps, here's a pointer - www.paramountdefenses.com/goldfinger

Good luck to you mate!

>- Matt.



__________________

Go Aussie!
